Search

SearchLoading

Executive Summaries Oct 18, 2024

Right to Data Portability: Is your Organization Ready?

By

Aya Barbach, Gabriel Melançon

On September 22, 2024, the final phase of the changes brought by Act 25 in Québec came into force with the introduction of the right to data portability. The new measure affects most organizations, in particular in the way they’ll need to respond to requests from concerned individuals, with the obligation to set up technological means to provide access to their personal information. 

What is the Right to Data Portability?

This new obligation is inspired by the General Data Protection Regulation (GDPR), adopted in Europe. It allows individuals concerned by the personal information held by an organization to receive computerized personal information in a structured and commonly used technology format that was collected by the organization from such individuals. 

By exercising their right to data portability, individuals may obtain their personal information, in a technological format, which an organization has collected electronically, notably to make it easier for them to hire the services of another organization and enable system interoperability. As an example, and subject to the application of sector-specific legislation, individuals may exercise their right to data portability when opening a bank account in a new financial institution by asking their current bank to supply them with all the computerized personal information provided when the first account was created, in accordance with the provincial and federal laws that apply. Job applicants may also request that the personal information they have provided on an online form be communicated to them. 

The right to data portability exists as a complement to the customary mechanism for requesting access to personal information provided for by Act 25. Since the amendments to the Act respecting the protection of personal information in the private sector came into effect in September 2023, individuals may have access to this type of personal information in the form of a written and intelligible transcript. 

 

What Personal Information would be Subject to the Right to Data Portability?

To be subject to the right to data portability, personal information must: 

  • Have been collected from the individual exercising his right to data portability; 
  • Be stored on a computerized medium. Accordingly, personal information collected using physical means, including printed forms or handwritten notes, may not be subject to the right to data portability; and 
  • Exclude personal information that has been created or inferred from the information that was provided to the organization. 

By way of example, personal information provided by a consumer who purchases clothing online, including shipping address, e-mail address, name, and credit card details, is all personal information subject to the right to data portability. Personal information such as a person’s height or gender, which may be inferred from the personal information provided for an online clothing order, may not be subject to the right to data portability. Likewise, if the company has designed a sophisticated buyer categorization system, the category to which this buter belongs would not have to be disclosed. 

 

How to Exercise One’s Right to Data Portability

Within 30 days of a written request from individuals, organizations that hold digitized personal information meeting the aforementioned criteria must provide the information in a “structured, commonly used technological format”. This concept is not explicitly set out in Québec law, but may be interpreted in a manner similar to the GDPR and in the same manner as the Québec government applies it to public organizations. Accordingly, in the absence of a clear guideline from Commission d’accès à l’information (CAI), the data format may be XML, JSON or CSV, and a “structured and commonly used format” may allow individuals to reuse their personal information for another service or to provide it to another organization.

 

What is the Limit to the Right to Data Portability? 

Organizations may decline to grant a data portability request if it would lead to serious practical difficulties, for example, if transferring personal information to a structured technological format proves too complex. This exception is not detailed in law and may be subject to guidelines issued by Commission d’accès à l’information. 

On its web site, CAI indicates that this is a case-by-case issue; moreover, it cites an example where it ruled that the significant costs involved in responding to a request would cause a serious practical difficulty.

 

How your Organization can comply with the Right to Data Portability

To ensure its readiness to respond to requests from individuals asserting their right to data portability, your organization would be well advised to: 

  • Ensure, if you have not already done so, that your privacy policies are up to date, indicate the person to contact within your organization, and include the procedures for exercising the right to data portability; 
  • Be able to distinguish between computerized personal information that you hold that have been collected from the individual making the request and personal information that have been inferred from the individual’s personal information; 
  • Have the technological tools needed to communicate this personal information in a structured and commonly used technological format; and
  • Be able, wherever appropriate, to explain to individuals that you are unable to comply with their data portability request for reasons of serious practical difficulties. 

Organizations must respond to requests for the right to data portability within 30 days of receipt, failing which they will be deemed to have refused to grant the request and may be subject to a disagreement application filed with Commission d'accès à l'information. 

 

You would also like

Executive Summaries Dec 2, 2024
Data-Privacy

Bill 82: One Step Closer to a National Digital Identity (and Modifications to Other Provisions!)

News of the Firm Nov 21, 2024
Entrepreneurship forum

Entrepreneurship Forum: Vision 2025
Executive Summaries Nov 6, 2024
Athlete

Protecting Privacy in Sports – Don’t Wait to be Caught Flat-Footed!

Executive Summaries Nov 1, 2024
data-protection

Obligation to Report Information Security Incidents: The Autorité des Marchés Financiers Catches the Wave and Publishes a New Regulation

News of the Firm Oct 9, 2024
Tech Forum 360

Tech 360 Forum: Growth and Inflection Points
News of the Firm Jun 3, 2024

Prospera: Québec’s Economic Barometer
Press Release May 14, 2024

Canada's Best Managed Companies: BCF Recognized for 17th Consecutive Year
Press Release Apr 2, 2024
paul et misha

BCF Strengthens its Expertise in Artificial Intelligence

Press Release Jan 10, 2024
new-partners-2024

BCF Has Appointed Three New Partners
News of the Firm Dec 1, 2023

Who’s Who Legal : 5 BCF Professionals Stand Out
Press Release Dec 1, 2023

BCF extends its Partnership with the Canadian Association of Black Lawyers to a Third Year
Executive Summaries Nov 23, 2023

Demystifying Privacy Impact Assessments (PIAs)
Executive Summaries Nov 21, 2023

The Data Processing Agreement: An Essential Resource to Implement
Executive Summaries Nov 15, 2023
camera-on-a-wall

The Incident Response Plan: the Cornerstone of Effective Crisis Management
Training and Events Nov 7, 2023
forum-privacy-en

Strategic Forum on Enterprise Data Protection
News of the Firm Sep 28, 2023

Chambers Canada Ranking: Five of our Lawyers Recognized
Press Release Sep 11, 2023
Photo of Julie Doré

Julie Doré Takes Over Management of The BCF Business Law Firm
News of the Firm Jul 13, 2023

Prospera – Quebec Economic Barometer
Media Coverage Jun 19, 2023

Julien Tricart, Member of the Meritas Sports Law Group
News of the Firm Jun 1, 2023

Pride Month: Let’s Create an Inclusive Future
News of the Firm May 10, 2023

Canada’s Best Managed Companies: BCF Recognized for 16th Consecutive Year
Executive Summaries Mar 30, 2023

New Privacy Requirements: Is Your Business Compliant?
News of the Firm Mar 8, 2023

Every Woman Counts
Training and Events Feb 27, 2023

Strategic Forum on the Role Played by Businesses in the Fight Against Climate Change
Press Release Feb 27, 2023

BCF Partners with the Canadian Association of Black Lawyers to Promote Diversity in Québec Law Faculties
Press Release Feb 14, 2023

BCF's More Inclusive Approach: Improved Parental Leave
Press Release Feb 8, 2023

Shaun E. Finn Appointed to the Superior Court of Québec
Major Cases Feb 3, 2023

How to Ensure a Business Succession?
Executive Summaries Jan 24, 2023
Business black folders on table

Adoption of Bill 78 on Transparency Business: Are You Ready?
Training and Events Jan 17, 2023

Strategic Forum on Market Consolidation and Business Succession
Press Release Dec 5, 2022

BCF Partners with the Clinique Juridique de Saint-Michel to Promote Access to Legal Studies for Young People from Diverse Communities
Executive Summaries Nov 2, 2022

What Are the Best Practices for Managing Privacy Incidents?
News of the Firm Oct 20, 2022

Shaun E. Finn, Co-Author of In the Public Eye: Privacy, Personal Information, and High Stakes Litigation in the Canadian Public Sector
Executive Summaries Oct 14, 2022

Should Using Personal Information Obtained Without Consent Be Grounds for Class Action Authorization?
News of the Firm Sep 29, 2022

Five of our Lawyers Stand out in the 2023 Edition of the Chambers Canada Ranking
Executive Summaries Sep 19, 2022

Cybersecurity and Privacy in Canada: What You Need to Know About Bill C-27
Executive Summaries Sep 16, 2022

Is the Loss of Personal Information Sufficient to Justify the Success of a Class Action on the Merits?
Executive Summaries Sep 16, 2022

Bill C-26: The Federal Government Takes a Closer Look at Cybersecurity and Privacy
Executive Summaries Sep 1, 2022

Jocelyn Poirier, BCF’s Chief Privacy Officer
News of the Firm Aug 25, 2022

43 BCF Professionals Stand Out with 78 Nominations in the 2023 Editions of Best Lawyers in Canada and Ones to Watch
News of the Firm Jul 21, 2022

Seven New Lawyers Join BCF
Major Cases Jun 14, 2022

Adoption of Bill 96: Be Ready
News of the Firm Jun 1, 2022

Pride Month: The Value of Diversity
Press Release May 16, 2022

BCF, the 3rd Largest Law Firm in Québec
Press Release May 11, 2022

Canada’s Best Managed Companies: BCF Recognized for 15th Consecutive Year
News of the Firm Nov 22, 2021

BCF Recognized by the Globe and Mail as one of Canada’s top Law Firms
News of the Firm Sep 20, 2021

Chambers Canada 2022: BCF Earned Band 1 Ranking in Québec for Corporate and Commercial Law
News of the Firm Aug 20, 2021

Seven New Lawyers Join BCF
Training and Events May 3, 2021

Privacy and Data Protection Class Actions: Trends, Challenges and Best Practices
Media Coverage Apr 26, 2021

A First in Canada: Privacy Class Action Dismissed on the Merits
News of the Firm Mar 22, 2021
escalier

BCF Welcomes Seven New Lawyers
Executive Summaries Dec 15, 2020

Collaboration in the Time of COVID-19: Legal Considerations for Successful AI and Healthcare Partnerships
News of the Firm Sep 30, 2020

Shaun E. Finn and Danielle Miller Olofsson Publish a Unique Practical Handbook on Privacy and Data-Protection Class Actions
Executive Summaries Jul 24, 2020

What Are the Implications of the End of EU-U.S. Privacy Shield Framework for Your Business?
Media Coverage Jun 30, 2020

Investigation on Tim Hortons’ Application
Executive Summaries Jun 18, 2020

Québec’s Bill 64 to Amend Data Protection Legislation: A Bill with Teeth?
Media Coverage May 6, 2020

Does the Use of Thermal Imaging Cameras in Stores Comply with Privacy Laws?
Major Cases Apr 30, 2020

COVID-19: Solutions to Address this Situation
Executive Summaries Apr 27, 2020

COVID-19: Finally a Toolbox for Developers of Geolocalisation Applications
Media Coverage Apr 3, 2020

Tracking the COVID-19 Pandemic with Cellphones
Executive Summaries Mar 13, 2020

COVID-19: Don’t Forget Data Protection When Designing a Response Strategy
Press Release Jan 30, 2020

BCF once again ranks as one of Montreal's Top Employers
News of the Firm Jan 13, 2020

BCF Names 16 New Partners for Its 25th Anniversary
Executive Summaries Dec 11, 2019

Joint Controllership or the Risks of using Website Plugins
Executive Summaries Oct 25, 2019

Are You a Leader or a Follower?Results of the Innovation Survey
News of the Firm Oct 1, 2019

Chambers Canada 2020: BCF Recognised in Corporate and Commercial Law
Training and Events Sep 20, 2019

Strategic Forum on Innovation
Executive Summaries Sep 16, 2019

Different Legislative Approaches to 5G
Major Cases Sep 9, 2019

Innovating to Survive: Are You a Leader or a Follower?
Executive Summaries Aug 27, 2019

Is Your Company Implementing a New Technology System? Remember to Protect Your Data
Executive Summaries Aug 26, 2019

5G Technology Is Coming: Legal Questions Abound
Executive Summaries Aug 22, 2019

Legal Issues Surrounding the Industrial Revolution 4.0
Executive Summaries Aug 22, 2019

Where Does Québec Stand in Terms of Privacy Class Actions?
Executive Summaries Feb 21, 2019

De-fogging the Cloud Act
Executive Summaries Jan 30, 2019
fenetres

Google and CNIL: a Case of Inappropriately Obtained Consent
Executive Summaries Jun 4, 2018

Best Practices for Québec Companies Receiving European Data
Executive Summaries May 23, 2018

Anonymization? Think Again
Executive Summaries Apr 20, 2018

The Deep Web and Dark Web Demystified for Businesses
Executive Summaries Apr 17, 2018

The GDPR is Coming: How to Get Ready
Media Coverage Apr 9, 2018

Protection of Personal Data: New Measures Put in Place by the European Union
Executive Summaries Apr 6, 2018

Is Your Organisation Collecting Too Much Data and Is It Well Protected?

Get the latest thought leadership